How To Calculate The Cost Of A Hospital Data Breach

March 13, 2012

By Ron Shinkman

Although hospital operators know that a data breach can lead to significant consequences–lawsuits, loss of business and reputation–a new report by the American National Standards Institute (ANSI) can help them place a specific price tag on such mishaps.

The report released last week includes a section on what it refers to as “PHIve”–a five-step process for putting a cost on a specific data breach, noted MedHealthWorld.

The method involves toting up all “homes” within a hospital or healthcare system that are repositories for protected healthcare data. The likelihood of a breach in each area is then calculated.

After making those projections, the cost is calculated by establishing a baseline loss of patients, estimating the average revenue for each patient, determining how many would switch to a competitor and adding in a “viral factor”–how word of mouth would drive further patient defections, the report noted. Similar equations are used for the loss of new customers, new business partners and staff.

Along with those figures, the cost of a public relations campaign and, if the entity is publicly traded, stock losses are also factored in, along with the productivity lost to the distraction of containing a big breach.
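The five-step approach described above, turned into a small expected-loss model, as an added example that is not part of the article or the ANSI report. The structure of the formula (per-repository likelihood times the cost of one breach, with defections scaled by a viral factor) and every figure in the sample inputs are assumptions constructed for illustration; the report's own formulas and parameter values are not reproduced here.

```python
"""Expected-loss model for a PHI breach, following the article's outline:
inventory the "homes" of protected data, estimate a breach likelihood for
each, and price a breach by lost patients (with a word-of-mouth "viral
factor"), other defections, PR spend, stock loss and lost productivity.

All formulas and figures below are constructed assumptions, not the
ANSI report's own method or numbers.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class DefectionSegment:
    """A group that may walk away after a breach (patients, staff, partners...)."""
    name: str
    population: int          # members of the group affected by the breach
    value_per_member: float  # revenue (or replacement cost) tied to each member
    defection_rate: float    # fraction expected to leave as a direct result
    viral_factor: float      # extra defections per direct defection, via word of mouth

    def loss(self) -> float:
        direct = self.population * self.defection_rate
        return direct * (1.0 + self.viral_factor) * self.value_per_member


@dataclass
class BreachAssumptions:
    """Parameters shared by every breach scenario (assumed values)."""
    avg_revenue_per_patient: float
    patient_defection_rate: float
    patient_viral_factor: float
    other_segments: List[DefectionSegment]  # new customers, partners, staff
    pr_campaign_cost: float
    stock_loss: float        # 0 for a provider that is not publicly traded
    productivity_loss: float


@dataclass
class PhiRepository:
    """One "home" of protected health information, e.g. the EHR or billing system."""
    name: str
    breach_probability: float  # estimated annual likelihood of a breach here
    patients_exposed: int      # patient records held in this repository


def single_breach_cost(repo: PhiRepository, a: BreachAssumptions) -> float:
    """Cost of one breach originating in `repo`: patient defections (scaled by
    the viral factor), other defections, then the fixed response costs."""
    patients = DefectionSegment("patients", repo.patients_exposed,
                                a.avg_revenue_per_patient,
                                a.patient_defection_rate, a.patient_viral_factor)
    defections = patients.loss() + sum(s.loss() for s in a.other_segments)
    return defections + a.pr_campaign_cost + a.stock_loss + a.productivity_loss


def expected_annual_loss(repos: List[PhiRepository], a: BreachAssumptions) -> float:
    """Annualized loss: likelihood of a breach in each home times its cost."""
    return sum(r.breach_probability * single_breach_cost(r, a) for r in repos)


def rank_repositories(repos: List[PhiRepository],
                      a: BreachAssumptions) -> List[Tuple[str, float]]:
    """Homes ordered by their share of expected loss, which is the natural
    order for directing a limited security and privacy budget."""
    scored = [(r.name, r.breach_probability * single_breach_cost(r, a)) for r in repos]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample inputs (illustrative only, not from the report).
SAMPLE_ASSUMPTIONS = BreachAssumptions(
    avg_revenue_per_patient=2000.0,
    patient_defection_rate=0.05,
    patient_viral_factor=0.5,
    other_segments=[
        DefectionSegment("new patients", 1000, 2000.0, 0.10, 0.2),
        DefectionSegment("business partners", 40, 50000.0, 0.05, 0.0),
        DefectionSegment("staff", 500, 15000.0, 0.02, 0.25),
    ],
    pr_campaign_cost=150000.0,
    stock_loss=0.0,            # assumed non-profit, so no share price to lose
    productivity_loss=75000.0,
)
SAMPLE_REPOSITORIES = [
    PhiRepository("EHR", 0.10, 50000),
    PhiRepository("billing", 0.20, 10000),
    PhiRepository("research DB", 0.05, 2000),
]

if __name__ == "__main__":
    for name, loss in rank_repositories(SAMPLE_REPOSITORIES, SAMPLE_ASSUMPTIONS):
        print(f"{name:12s} expected annual loss: ${loss:,.0f}")
    total = expected_annual_loss(SAMPLE_REPOSITORIES, SAMPLE_ASSUMPTIONS)
    print(f"total        expected annual loss: ${total:,.0f}")
```

With the sample figures the EHR dominates the expected loss even though billing is assumed twice as likely to be breached, because the cost side scales with records exposed; ranking the homes this way shows where a marginal control buys the most risk reduction.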

“Healthcare providers and supporting organizations don’t currently have sufficient security and privacy budgets, including adequate processes and resources, to protect sensitive patient data,” Larry Ponemon, founder of the Ponemon Institute, which focuses on data breach issues, said in the report. “This report will help them understand what they need to do to augment their efforts.”